mytob virus

grant.bain
Level 1

Any chance Cisco can release more IDS alarms for the "mytob" virus? 5 variants have an alarm at the moment but we know that other variants are on our network and I would like to see them on IDS to help us detect and disinfect PCs.

Does anyone else have an issue with this?

1 Reply

wsulym
Cisco Employee

Grant,

We generally don't write signatures for variants of viruses. We actually try not to write a signature for the virus itself, but rather the vulnerability. So for example, our signature 3327 catches exploitation of the Microsoft RPC DCOM vulnerability, which just so happens to be W32.Gaobot's preferred method of propagation. One signature catches numerous variants because basically, they all behave the same. And of course any other virus that spreads via the same vulnerability is also picked up. That's the general guiding principle, but there are exceptions. We do have a partnership with Trend, and anything that jumps up to a high overall risk rating will end up with a signature on the IDS/IPS products. That is why there are some MyTob signatures, but not for every variant. I know a couple of the variants spread via the LSASS vulnerability (which we have a signature for), so if those are floating around, sigID 3338 should fire. The majority of MyTob, however, appear to all be transferred via email attachments.

So to summarize: we focus on the vulnerability, and one signature catches numerous variants. There are exceptions, and outbreaks that are nasty or have the potential to become nasty very quickly end up with their own signature. Overall, we don't write signatures for every variant of a virus.

Hope that helps to shed some light on the matter.
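The practical consequence of the reply above, for someone trying to find infected PCs, is that hosts firing the vulnerability-based signatures (3327 for RPC DCOM, 3338 for LSASS) are worth triaging whether or not the variant has a name. The script below is an added example, not code from the original thread or from Cisco; the alert lines and their "sigId=... src=... dst=..." layout are constructed for the example and are not Cisco's real event format.

```python
import re
from collections import defaultdict

# Signature IDs named in the thread, mapped to the vulnerability each covers.
VULN_SIGS = {
    3327: "Microsoft RPC DCOM",
    3338: "LSASS",
}

# Constructed alert lines in a simplified format (not Cisco's event format).
# Host 10.0.0.12 triggers both vulnerability signatures against several peers;
# sigId 9999 is a constructed, unrelated signature that should be ignored.
SAMPLE_ALERTS = """\
2005-06-01T10:01:02 sigId=3327 src=10.0.0.12 dst=10.0.0.45
2005-06-01T10:01:05 sigId=3327 src=10.0.0.12 dst=10.0.0.46
2005-06-01T10:02:10 sigId=3338 src=10.0.0.12 dst=10.0.0.47
2005-06-01T10:03:00 sigId=3338 src=10.0.0.31 dst=10.0.0.45
2005-06-01T10:04:00 sigId=9999 src=10.0.0.50 dst=10.0.0.1
""".splitlines()

ALERT_RE = re.compile(r"sigId=(\d+)\s+src=(\S+)\s+dst=(\S+)")


def parse_alert(line):
    """Return (sigId, src, dst) for one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def hosts_hitting_vuln_sigs(lines):
    """Map each source host to {vulnerability: sorted list of targets} for the
    vulnerability-based signatures only; other signatures are ignored."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        sig, src, dst = parsed
        if sig in VULN_SIGS:
            hits[src][VULN_SIGS[sig]].add(dst)
    return {src: {v: sorted(t) for v, t in vulns.items()} for src, vulns in hits.items()}


def triage_order(hits):
    """Order hosts for cleanup: most distinct vulnerabilities exploited first,
    then most distinct targets touched, then by address for a stable order."""
    return sorted(hits, key=lambda h: (-len(hits[h]), -sum(len(t) for t in hits[h].values()), h))


if __name__ == "__main__":
    found = hosts_hitting_vuln_sigs(SAMPLE_ALERTS)
    for host in triage_order(found):
        print(host, found[host])
```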
